Gig Workers’ Personal Data Protection

In August 2023, India enacted the Digital Personal Data Protection Act (DPDPA), a comprehensive data protection law regulating the management of personal data. Once in force, it will have a significant effect on the gig economy.

The gig economy has disrupted traditional employment, with the number of gig workers in the Indian workforce projected to reach 23.5 million by 2030. This transformation has been driven by digital platforms connecting gig workers with customers for a range of services, a process often referred to as platformisation. It highlights the role of data in real-time operations, from matching workers with consumers to personalising user experiences, setting dynamic prices, forecasting demand and encouraging participation by using algorithmic tools. These businesses are inherently data-driven, making compliance with the DPDPA a priority.

The existing data protection framework, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules), imposes specific obligations on entities handling sensitive personal data and information (SPDI). SPDI includes passwords, financial data, health and medical information and biometric information. Consent is the sole ground for processing SPDI, and companies usually obtain such consent through employment contracts or privacy notices tailored to employees. However, the SPDI rules offer no alternative legal bases for processing personal data, nor do they address specific requirements for HR or employment data. Companies handling gig workers’ data often have to rely on privacy notices and partner agreements. There are two grounds in the DPDPA for processing personal data: consent and legitimate use. One legitimate use is processing employee data for employment-related purposes. However, the DPDPA does not define what an employment-related purpose is, leaving ambiguity as to how gig workers’ data may be processed.